The Transport layer passes information to the IP layer. The IP layer is responsible for actually moving the data from one host to another. It handles a number of differnt tasks required for communications to exist. This layer does not guarantee delivery, this is done by TCP.
Functions handled at this layer include:
- Routing datagrams
- Resolution of IP addresses to MAC addresses
- Fragmentation and re-assembly of datagrams
- Error detection and reporting
This layer is where ROUTING takes place.
Subnet mask enables you to extract the network ID. It's important to know the network ID because this will tell you if you are sending data to a local (no need to route) host or a remote (need to route data) host. If the host you are sending to is not local, then system needs to look at the remote IP address and use the routing table to figure out where to send data.
All devices that have IP have a routing table.
C:\>route print
Active Routes:
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 56.88.21.1 56.88.21.254 1
56.88.0.0 255.255.0.0 56.88.21.254 56.88.21.254 1
56.88.21.254 255.255.255.255 127.0.0.1 127.0.0.1 1
56.255.255.255 255.255.255.255 56.88.21.254 56.88.21.254 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 224.0.0.0 56.88.21.254 56.88.21.254 1
255.255.255.255 255.255.255.255 56.88.21.254 56.88.21.254 1
From a host, the routing table generally does not contain actual routing information, except for the default gateway (router) address. Any packet destined for a remote host is normally sent to the default gateway. IP on the gateway then looks in its routing table for a route to remote network.
- Network Address is the actual network ID to which the entry describes a route.
- Netmask is subnet mask that can be used to genearte the network ID.
- Gateway Address is where you send the packet if it is a remote network ID to sender
- Interface Network interface to send it from (which NIC). Usually there is only one NIC and is used for all entries.
- Metric Number of routers or gateways this network is away.
network 0.0.0.0 with a netmask of 0.0.0.0 is the entry for the default gateway and is checked last. All addresses match this.
Look at page 81 figure 5.1 to see how IP choose a route.
Regardless of whether you are sending packet to local network or remote network, IP always sends the packet to the MAC address of host or router.
ARP handles resolution of hardware addresses to IP. ARP broadcasts IP addresses of remote host and IP and MAC addresses of host.
ARP works like this.
- It first checks the ARP cache to see if it has recently resolved the address. If it has it can pass that to IP so packet can be sent.
- If address is not in cache, ARP creates a broadcast packet that is sent on the network. (see page 82 figure 5.2). This packet contains the IP address sending system wants to resolve. It also contains the IP address and MAC address of you machine. When ARP broadcasts on network, all systems receive the packet and pass it up to IP layer, compares the IP address to see if there's a match. If so, it takes IP address and MAC address of that host and adds it to its own table. Creates an ARP reply to tell other system of MAC address. Now both systems know each other's IP and MAC address.
ARP cache entries expire after a short period of time (two minutes), if the address isn't used again. If it is used again, it will last for another 10 minutes
C:\>arp -a 56.88.21.1
Interface: 56.88.21.239 on Interface 2
Internet Address Physical Address Type
56.88.21.1 00-00-0c-07-ac-04 dynamic
TCP or UDP sends down its data to IP Layer. The IP Layer now creates the IP Datagram. IP adds its own header to the packet it received from the upper-layer protocol. The IP header contains all the information required for the packet to be delivered to the destination host. (See pages 84 - 86 for parts of IP header).
IP is responsible for delivering datagrams through the internetwork. An IP datagram can be as large as 64K. This is datagram is rather large and often times networks cannot support this size packet. (ie and Ethernet frame is 15 K.
MTU (Maximum Transfer Unit) describes the number of bytes in the maximum frame size that a network can deliver without fragmentation. (see page 87 figure 5.4).
No error detection and recovery mechanisms are implemented in the IP protocol. If a fragment is lost or damaged, IP cannot request that this fragment get retransmitted, rather IP is forced to report error to Upper-layer protocols which will retransmit entire datagram.
IP has no error correction for the data, however there is a method to report errors that happen in transit, ICMP (Internet Control Messaging Protocol). ICMP handles sending messages for controlling data streaming and for error reporting purposes. (see page 88 Figure 5.5 for ICMP packet).
Destination Unreachable provides infromation when a host, net, port or protocol is unreachable.
Time Exceeded notifies the source if a data gram is underliverable because its Time To Live (TTL) has expired.
Parameter Problem reports a parameter problem and the octet in which the error was detected.
Source Quench may be sent by destination routers or hosts forced to discard datagrams due to limitations in available buffer space, or if for any reason a datagram cannot be processed.
Redirect are sent to a host when a router receives a datagram that could be routed more directly through another gateway. Advices sender of datagram of a more appropriate router to receive the datagram.
Echo Request and Echo Reply Messages exchange data between hosts
Timestamp Request and Timestamp Reply exchange timestamp data between hosts.
Information Request and Information Reply used to enable a host to discover the network to which it was attached.
ICMP provides basic onnectivity utilities used by upper-layer protocols--utilities such as PING use these to perform their functions.
FTP (File Transfer Protocol) transfer files to and from a computer running FTP services. FTP is an interactive system. It must talk with an FTP server. It uses TCP to handle communications and creates a session between the hosts.
TFTP (Trivial File Transfer Protocol) is a connectionless file transfer protocol. Rarely used now.
RCP (Remote Copy Protocol) is another method of transfering files to or from a remote hosts.
Telnet Terminal Emulation. Allows you to log on to a remote system (mainframe, router) and to work on remote system has if you were sitting in front of it.
LPR Line Printer Request sends a print job to a remote system that is running LPD (Line Printer Daemon) service.
LPQ enables you to read the status of a print queue on a remote system.
Ping (Packet Internet Groper) sends a signal and listens for the echo to come back. (ICMP) Ping tests very basics of TCP/IP protocol.
IPConfig is used to check that all the appropriate configuration parameters are setup in the system.
Finger enables you to put the "finger" on another user on your network. It returns basic information about who the users are, how long they've been on, etc. (Handy if you need to shutdown a system, you can alert those users prior to shutdowning system.)
NSLookup uses two modes, the interactive mode (working with DNS) and the non-interactive mode, used when you need to look up only a single piece of information. (Interactive mode provides you with more information).
Hostname displays the current host name
NETSTAT is used for determining the types of connections that you have made on the TCP/IP stack (TCP & UDP NBT connections)
NBTSTAT displays protocol statistics and current TCP/IP connections using NBT. Only available if the TCP/IP protocol has been installed.
ROUTE used to mainipulate the routing table on a Windows NT computer.
TRACERT used to view the path any packet would take as it travels through the network. Tracert tells your system to use ICMP to trace where the packet travels as it travels the network. It determines the route taken to a destination by sending many ICMP Echo Requests packets, each with a different TTL value. (TTL is a hop counter).
ARP is responsible for mapping IP address to a MAC address.
NETMON (Network Monitor) captures network data for detailed examination. You can look inside the frames to perform a detailed analysis of the network's operation.